Winter 2023 Product Enhancement Recap: Stopping Email Platform Attacks Before They Snowball

This winter, Abnormal added three new Knowledge Bases, multi-tenant management, and more to protect cloud users against email platform attacks.
January 31, 2023

During these cold, dark months, Abnormal was heating up, lighting the path to email security success as we released a variety of product enhancements aimed at solving the broader problems surrounding the cloud email platform… How do organizations protect the email platform itself? How can you effectively secure and manage a fragmented, multi-tenant environment? Is there a way to better understand how users are behaving? Is there a singular location where security leaders can see their third-party applications and understand what each one is allowed to do?

We sought to find answers to those questions. A term you’ll hear from Abnormal quite often is “email platform attack,” which is a growing threat to organizations. This segment of the threat landscape involves attacks that tend to skip traditional phishing tactics in favor of directly compromising cloud email environments. One common example is an organization that has not disabled legacy authentication in Microsoft 365. This one, seemingly innocuous configuration allows attackers to bypass MFA entirely—something we saw in the news earlier this year.

So, what has Abnormal actually released this quarter? Let’s dig in.

Three New Knowledge Bases

The first stop on our Winter Wonderland Tour is at our new Knowledge Bases.

You may already be familiar with VendorBase™, a Knowledge Base aimed at detecting unusual vendor activity, scoring vendors based on risk, and blocking those vendors that are deemed to be a threat to your organization. In a similar fashion, these new Knowledge Bases ingest thousands of signals across your cloud email platform to build dynamic behavioral profiles connecting your users, integrated third-party applications, and mail tenants.

Putting this data directly into your Abnormal Portal can enrich investigation when anomalous activity is detected for a given user, as well as enhance your application and tenant hygiene. Better data leads to better decisions, and better decisions lead to a more secure email environment.


AppBase centralizes app activity data, permissions, and key metadata for all applications integrated into your cloud email platform. We already see many of our customers using AppBase to uncover previously unknown applications lurking as shadow IT within their cloud email platform.

Product Enhance1

Beyond this hygiene use case though, AppBase can be used to identify risky applications—whether over-permissioned or simply unusual—and then track ongoing activity to conduct a thorough and expeditious investigation. AppBase helps you discover whether the app is truly malicious, or if it’s a simple case of a savvy user skirting install policies to download a fancy new calendar extension.

Product Enhance2

At the end of the day, either scenario presents a risk, and it’s crucial to identify it so you can determine the next course of action.


Applications don’t install themselves, so the nexus for all suspicious activity is often the users in your environment. PeopleBase provides a directory of each of the active users on your cloud email platform. It uses contextual, behavioral data to build a dynamic user genome, along with an activity timeline of recent events such as sign-on patterns, suspicious email activity, common devices and IP addresses, and more.

Product Enhance3

PeopleBase provides insight into malicious email trends for a given user, configuration changes that user has executed, and applications the user has recently installed. And in addition, Abnormal paints a comprehensive portrait of who your users are, where they are, and what they’re doing—helping you then determine if they are who they say they are.


Whether you have one mail tenant or fifty, these hubs of activity that ultimately constitute the surface of the cloud email platform can open the door to a variety of risks. TenantBase provides a catalog of each of the email tenants Abnormal Security protects, along with a running timeline that documents changes to conditional access policies, new users, user privilege changes, and new app integrations. Many recent attacks have been executed by attackers gaining access and compromising mail tenants, so it is critical to remain aware of changes as they occur.

Product Enhance4

All three new Knowledge Bases, as well as the existing VendorBase, are now available for free inside the Abnormal platform.

Security Posture Management

With any great snowman, you need a robust base: the Knowledge Bases. But think of Security Posture Management,our newest add-on product, as the body, coal, and carrot of your Abnormal Frosty.

Product Enhance5

Security Posture Management uses the data within the behavioral profiles built by PeopleBase, AppBase, and TenantBase to determine when a potentially harmful or unexpected configuration change has occurred. It then highlights these changes to administrators, helping security teams understand and take action to fill configuration gaps, as Abnormal works to improve the risk posture of cloud email environments.

Product Enhance6

With dynamic monitoring aimed at surfacing only high-impact changes to cut down on noise, actionable configuration insights to help you understand exactly what occurred, and workflow management that provides a quick path to acknowledge and identify next steps, Security Posture Management completes the cloud email security puzzle by proactively defending against email platform threats. Meanwhile, Abnormal’s best-in-class Inbound Email Security continues to handle those threat actors in the inbox.

Multi-Tenant Management

What do holding companies and organizations that have undergone a recent merger or acquisition have in common? First, probably something about winter since that’s the theme of the article… Perhaps they are in the middle of a financial freeze? Secondly, they need a way to effectively manage and secure multiple mail tenants.

Product Enhance7

Abnormal has answered this call with its new Multi-Tenant Management functionality. Gone are the days of long and arduous processes to manually link new tenants to the Abnormal portal. In three simple steps, our customers can now add a child tenant and then configure appropriate role-based access controls (RBAC) as needed. Here is the workflow:

  1. Navigate to Settings and click Add New Tenants.

  2. Name the new tenant.

  3. Grant access to the workspace.

I don’t know about you, readers, but I’m exhausted from typing that. I need a hot chocolate.

What’s Coming in Spring 2023?

Winter may be on its way out, but Abnormal is just getting started this year. Schedule a demo today to discover more from Abnormal, or if you’re already a customer, chat with our customer success team to receive answers to all of your questions.

Either way, be on the lookout for our Spring update … and beyond. Happy recap to all, and to all a good night.

Interested in learning more about the Abnormal platform? Schedule a demo today!

Schedule a Demo
Winter 2023 Product Enhancement Recap: Stopping Email Platform Attacks Before They Snowball

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B Earn Your CPE Credits with Abnormal
Earn your continuing education credits with ISC2 by viewing cybersecurity content from Abnormal Security.
Read More
B Seg Lessons
Discover key insights gleaned from replacing 100+ SEGs for Abnormal customers.
Read More
B Europe Attack Data Blog
Discover what our research uncovered about the European threat landscape and attack trends for organizations in the region.
Read More
Abnormal aims to provide superior detection of email attacks while also directly and indirectly influencing the security awareness of your employees.
Read More
B 6 3 24 BEC Attacks
Discover how cybercriminals obtain corporate data from brokers like ZoomInfo and Apollo to enable targeted business email compromise (BEC) attacks.
Read More
B Addressing Account Takeovers Blog
Discover how security leaders are protecting their organizations against account takeover with insights from our survey of 300 cybersecurity stakeholders.
Read More